Re: files in /var/tmp

To: debian-user@lists.debian.org
Subject: Re: files in /var/tmp
From: amacater@galactic.demon.co.uk (Andrew M.A. Cater)
Date: Sun, 8 Apr 2007 23:09:28 +0000
Message-id: <[🔎] 20070408230928.GA16241@galactic.demon.co.uk>
In-reply-to: <[🔎] 1176072273.461970510df3d@mail.bluebottle.com>
References: <[🔎] 1176072273.461970510df3d@mail.bluebottle.com>

On Sun, Apr 08, 2007 at 03:44:33PM -0700, Kamaraju Kusumanchi wrote:
> Hi all
> 
> Can someone throw some light on as to what does /var/tmp/fast-mech.tgz and /var/tmp/raw directories do?
> 
> My system (Debian Etch) has been recently compromised and I deleted most of the suspicious files. However I am not sure about these. Is it safe to delete them or do you think some process expects them to be there?
> 
> According to FHS 2.3, files in /var/tmp are preserved across reboots and applications might expect some temp files there. Other than that, I could not find any other info on fast-mech.tgz file and on /var/tmp/raw directory...
> 
> 
> $ls -al fast-mech.tgz raw
> -rw-r--r-- 1 rajulocal rajulocal 165248 2007-02-04 20:51 fast-mech.tgz
> 
> raw:
> total 1348
> drwxr-xr-x 2 rajulocal rajulocal   4096 2007-01-24 02:34 ./
> drwxrwxrwt 6 root      root        4096 2007-04-08 18:26 ../
> -rw-r--r-- 1 rajulocal rajulocal    273 2007-01-24 02:30 1
> -rw-r--r-- 1 rajulocal rajulocal    316 2007-01-24 02:30 2
> -rw-r--r-- 1 rajulocal rajulocal    316 2007-01-24 02:31 3
> -rw-r--r-- 1 rajulocal rajulocal  39415 2007-02-28 19:03 Chio.seen
> -rwxr-xr-x 1 rajulocal rajulocal 608374 2005-05-27 15:40 httpd
> -rw-r--r-- 1 rajulocal rajulocal  35268 2007-02-28 19:03 New.seen
> -rw-r--r-- 1 rajulocal rajulocal   1043 2007-02-28 19:03 raw.levels
> -rw------- 1 rajulocal rajulocal      6 2006-12-29 04:44 raw.pid
> -rw-r--r-- 1 rajulocal rajulocal   1043 2007-02-28 19:03 raw.session
> -rw-r--r-- 1 rajulocal rajulocal   1091 2007-01-24 02:34 raw.set
> -rwxr-xr-x 1 rajulocal rajulocal 608374 2005-05-27 15:40 sshd
> -rw-r--r-- 1 rajulocal rajulocal  35861 2007-02-28 19:03 VaLy.seen
> 
> $tar tzvf fast-mech.tgz
> drwxr-xr-x piotr/piotr       0 2007-01-24 02:34 raw/
> -rw-r--r-- piotr/piotr     273 2007-01-24 02:30 raw/1
> -rw-r--r-- piotr/piotr     316 2007-01-24 02:30 raw/2
> -rw-r--r-- piotr/piotr     316 2007-01-24 02:31 raw/3
> -rw------- piotr/piotr       6 2006-12-29 04:44 raw/raw.pid
> -rw-r--r-- piotr/piotr    1091 2007-01-24 02:34 raw/raw.set
> -rwxr-xr-x piotr/piotr  608374 2005-05-27 15:40 raw/httpd
> 
> 
> Any help is greatly appreciated.
> 
> raju
> 
Looks like someone has put in an extra web-server for you and an sshd to 
control it with. Isn't that kind :)

If you wish to pass the machine on to law enforcement or your university 
sysadmins for forensic type investigation, do so now and don't touch 
anything else. You may also want to look at Helix and Auditor (two 
security-oriented Knoppix type releases for security and forensics on 
Live CD).

Otherwise: nuke it from orbit. Boot from a copy of knoppix or the Ubuntu 
live CD. Use tar to archive anything you really need and scp to copy it 
off the infected machine. [Booting from a live CD means that you 
shouldn't be using possibly infected binaries on the machine hard disk 
itself.] 

Use Darik's Boot and Nuke to wipe the disk as thoroughly as you can. 
Then re-install with Etch and clean media.

HTH,

Andy 

> 
> -- 
> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org 
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: files in /var/tmp
  - From: "Daniel B." <REMOVEdanielCAPS@fgm.com>

References:
- files in /var/tmp
  - From: Kamaraju Kusumanchi <kamaraju@bluebottle.com>

Prev by Date: files in /var/tmp
Next by Date: Re: files in /var/tmp
Previous by thread: files in /var/tmp
Next by thread: Re: files in /var/tmp
Index(es):
- Date
- Thread